SAS 55 and the small business engagement. (Statement of Accounting Standard 55)(includes related article)

by Smith, L. Murphy

Abstract- The Auditing Standards Board's Statement of Accounting Standard No (SAS) 55 has caused confusion among accounting practitioners regarding its interpretation and implementation. Entitled 'Consideration of the Internal Control Structure in a Financial Statement Audit,' SAS 55 was introduced to establish a relationship between financial statement assertions and the assessment of control risk. The minimum requirements of the standard include getting a clear understanding of the internal control structure, documenting comprehension of this structure, evaluating control risk, documenting assessment of control risk, exploring the viability of additional reductions in control risk, and determining the extent of substantive tests for financial statement assertions. The AICPA has released Audit Guide, 'Consideration of the Internal Control Structure in a Financial Statement Audit' to clarify SAS 55, which practitioners for small businesses may use.

Understanding and applying SAS 55 to audits of small businesses is a
challenge for many small practitioners. The concept of assessing control
risk is not natural to them. Some CPAs are puzzled with the minimum
documentation requirements. Others are perplexed about how they can most
efficiently and effectively comply with and perhaps even benefit from
SAS 55. Here is a summary of the requirements and some suggestions on
how it can be implemented.

Since the issuance of SAS 55 Consideration of the Internal Control
Structure in a Financial Statement Audit, concern has been expressed
about its interpretation and application.

To address these needs, the AICPA has issued an Audit Guide,
Consideration of the Internal Control Structure in a Financial Statement
Audit, with numerous exhibits illustrating the work papers an auditor
might prepare in complying with SAS 55. Some of the narratives and
exhibits in the guide deal specifically with the audit of a typical
small business called Ownco. It may be difficult to apply SAS 55 without
knowledge of the guide.

While the guide appears as a formidable document (262 pages), the
illustrations relating to the small business audit are readily
identifiable and not difficult to understand or use.

The Auditing Standards Board issued SAS 55 to link financial statement
assertions (SAS 31, Evidential Matter) with the assessment of control
risk (SAS 47, Audit Risk and Materiality in Conducting an Audit). Prior
standards were deemed deficient in terms of the guidance provided to
auditors in assessing the types of material financial misstatements that
could occur and the probability of such misstatements actually
occurring. These issues were problems for audits of all sizes but were
particularly troublesome for emerging or small business engagements. A
summary of the requirements of SAS 55 is described in Exhibit 1.

Understanding the Internal Control Structure

SAS 55 requires an auditor to obtain an understanding of an entity's
control structure sufficient enough to plan the audit no matter what its
size. The audit plan, in accordance with SAS 53, The Auditor's
Responsibility to Detect and Report Errors and Irregularities, should be
comprehensive enough to provide reasonable assurance of detecting
material misstatements and/or irregularities.

Financial statement assertions are listed in Exhibit 2. The assessment
of control risk must be linked to these assertions. After obtaining an
understanding of the control structure, the auditor assesses control
risk for the assertions embodied in the account balances, transaction
classes, and disclosure components of the financial statements. The
understanding of the control structure includes three elements: control
environment, accounting system, and control procedures. The auditor's
understanding of all three elements must be documented. However, in
cases where control risk is assessed at the maximum, no additional work
would be required to obtain an understanding of the control procedures.
SAS 55 states:

. . . as the auditor obtains an understanding of the control environment
and accounting system, he is also likely to obtain knowledge about some
control procedures. The auditor should consider the knowledge about the
presence or absence of control procedures obtained from the
understanding of the control environment and accounting system in
determining whether it is necessary to devote additional attention to
obtaining an understanding of control procedures to plan the audit.
Ordinarily audit planning does not require an understanding of the
control procedures related to each account balance, transaction class,
and disclosure component in the financial statements or to every
assertion relevant to those components.

An auditor is therefore required to gain an understanding of both the
control environment and accounting system and, to some extent, depending
on the assessment of control risk, specific control procedures as well.

Emerging or small businesses have unique characteristics which affect
the development of audit plans and how the auditor assesses control
risks. For example, inadequate segregation of duties and the lack of
proper supervision is present in many cases. For this reason, as well as
audit efficiency, the audit strategy for emerging or small businesses
has traditionally been primarily a substantive test approach.

Control Environment. SAS 55 describes an entity's control environment as
the overall attitude of the board of directors (if any), and that of the
management/owners about the importance and effectiveness of internal
controls. Since the owner/manager's emphasis on internal control chiefly
determines the characteristics of the control environment in a small
business, the control environment is a key source of information
regarding the type and extent of potential misstatements.

The Accounting System. SAS 55 requires the auditor to obtain a
sufficient understanding of the accounting system, regardless of
complexity, to identify all significant classes of transactions that
affect the financial statements. The auditor should understand how these
transactions are initiated, classified, and recorded in accordance with
GAAP.

The Control Procedures. SAS 55 recognizes that when obtaining an
understanding of the control environment and the accounting system, the
auditor may obtain an understanding of certain control procedures
sufficient to assess control risk at less than the maximum. For example,
the auditor will have observed, if not inspected, the client's bank
reconciliations, inventory system, accounts receivable aging analysis,
cancellation of paid invoices, reconciliation of cash register tapes,
and the use of prenumbered documents. If a primarily substantive
approach is used, additional detail testing of control procedures for a
small or emerging company is generally not performed because a further
reduction in control risk, as discussed later, is neither warranted nor
desired by the auditor.

Documentation of Understanding of Internal Control Structure

Memorandums, questionnaires, and flowcharts are commonly used methods to
document the understanding of a client's internal control structure.
However, for an emerging or small business with a simple internal
control structure, memorandums may be sufficient. As the size and
complexity of a business and the intricacies of the internal control
structure increase, then flowcharts or questionnaires may be helpful.

Examples of documenting the auditor's understanding of an internal
control structure for an emerging or small business are illustrated in
the AICPA Guide. Although flowcharts are used in documentation,
memorandums may be sufficient in many cases. For recurring engagements,
the auditor may simply update the previous flowchart, questionnaire, or
memorandum for any changes.

Keep in mind that the purpose of acquiring an understanding of the
internal control structure is for the auditor to "obtain a sufficient
understanding of each of the three elements of the entity's internal
control structure to plan the audit of the entity's financial
statements." Thus, audit planning does not require an understanding of
the control procedures for every transaction cycle, account balance, or
disclosure component. As noted earlier, the knowledge that the auditor
obtains about control procedures while trying to understand the
accounting system and the control environment of an emerging or small
business may be sufficient to satisfy the requirements of SAS 55.

Assessing Control Risk

The assessment of control risk is usually made in qualitative terms:
maximum, substantial, moderate, or low, but some auditors prefer
expressing the assessment in percentages. When assessing control risk,
the auditor should consider the combined aspects of the three components
to the internal control structure (i.e., control environment, accounting
system, and control procedures).

Risk Assessed at the Maximum. For an emerging or small business, the
need to assess control risk for every account balance and the related
assertions may be unnecessary. The AICPA Guide offers an alternative.
For an emerging or small business audit, the auditor might make a
statement such as the following: "Control risk is assessed at the
maximum for all assertions for all account balances and transaction
classes except as identified." After making such a statement in the
workpapers, the auditor is not obligated to explain the control risk
assessment for an assertion relating to an account balance or class of
transactions where such risk assessment is at the maximum. Also, since
in many small audits, the auditor prepares the financial statements
including disclosures, there is no need to assess control risk for the
assertion of presentation and disclosure.

The maximum level of control risk is defined in SAS 55 as "the greatest
probability that a material misstatement that could occur in a financial
statement assertion will not be prevented or detected on a timely basis
by an entity's internal control structure." A maximum control risk
assessment is warranted in at least two instances: 1) when the auditor
cannot discern any meaningful policies and procedures for a respective
management assertion and 2) when the auditor decides that it would be
inefficient to determine the effectiveness of the control procedures. In
these cases, the auditor is better off going directly to a substantive-
test audit strategy to evaluate the reliability of the financial
statements.

Risk Assessed at Less than Maximum. SAS 55 recognizes that each
assertion for each account balance may have varying levels of risk and
the auditor may consider this when planning and executing the various
substantive tests. For example, if during the process of gaining an
understanding of the control environment and the accounting system, the
auditor observes that cash is deposited daily, bank reconciliations are
prepared on a timely basis, reconciliations are reviewed by the
owner/manager, cash disbursements are supported by proper documentation,
and documentation is canceled to prevent re-use; the auditor may assess
control risk at less than the maximum level for the existence assertion
for the cash account.

If control risk can be set at less than maximum, the auditor may then
reduce the extent of substantive tests, such as limiting the number of
bank accounts to be confirmed or reducing the number of canceled checks
to be examined with post-balance sheet bank statements. On the other
hand, if control risk was assessed at a maximum for the cash "existence"
assertion, then the nature, timing, and extent of substantive tests for
cash would necessarily increase to provide more persuasive evidence.

While obtaining an understanding of a company's internal control
structure, the auditor may see other areas for which control risk may be
assessed at less than maximum. For example, the recording of inventories
may present such an opportunity. In today's business environment where
the use of PCs is common, some emerging businesses will have automated
inventory packages that keep track of sales and purchases by units.
Costs of goods sold is automatically debited when a sale is recorded. In
an automated system, inventory items are keyed-in by product number,
description, sales price, cost bar codes, and numerous other accounting
and operating data. But some emerging businesses do not have the time,
expertise, or the money to invest in such inventory systems. These
companies instead may rely on a perpetual card system on which necessary
information is maintained. Where perpetual inventory systems are
verified and adjusted by physical counts during the year, the auditor
may be able to assess control risk at less than the maximum. Less
substantive tests would be required than when a year-end physical count
is the sole basis for the existence and completion assertions relating
to inventory.

Other companies may periodically take a physical inventory; book-to-
physical adjustments would be reviewed by the auditor. This would be
appropriate for most small retail establishments that sell to walk-in
customers. In addition, when these companies order additional
merchandise for re-sale, they usually do so through area product sales
representatives. Some of these representatives make house calls; they
visit a retail establishment and discuss the inventory needs of that
company. To access the inventory needs, an inventory of that particular
product may be taken. The auditor may be able to rely on one or all of
the above, if appropriate, to assess control risk at less than the
maximum for inventory.

In addition, because some small businesses are labor intensive, there
may be considerable risk surrounding the payroll functions. As a result,
the control risk for the completeness and valuation assertions may be
set at the maximum. However, if payroll tax forms are filed on a timely
basis and are reconciled to the client's record, observation of these
procedures may be sufficient evidence to assess control risk at less
than the maximum.

The descriptions given for cash, inventories, and payroll are examples
of how risk may be assessed at less than the maximum. Further reductions
in the assessed level of control risk may be possible if the auditor
performs more extensive tests of controls. For example, to lower the
assessed level of control risk for cash balances, the auditor could
again perform bank reconciliations or observe that the reconciliations
are prepared by someone having no other cash responsibilities and that
reconciling items are adequately supported. The auditor may also
identify controls in the sales and purchasing cycles, if these
transactions are significant in number, to ensure the completeness and
accuracy of cash receipts and cash disbursements.

Documentation of Assessment of Control Risk

In addition to documenting the understanding of the internal control
structure, the auditor is also required to document the basis for
conclusions about the assessed level of control risk. When control risk
is assessed at the maximum, the auditor needs to document this finding
in the workpapers, but there are no requirements for documenting the
basis used or for explaining why the assessment was set at the maximum.
However, if control risk is determined to be below the maximum level,
the auditor is required to document the basis for such an assessment.

If control risk is assessed at below the maximum level, the auditor is
required to 1) identify "specific internal control policies and
procedures relevant to specific assertions that are likely to prevent or
detect material misstatements in those assertions" and 2) perform "tests
of controls to evaluate the effectiveness of such policies and
procedures." Of course, the auditors' conclusions are a matter of audit
judgement which should be influenced by the type, source, and timeliness
of the evidential matter.

In an audit of an emerging or small business, the auditor may decide to
rely primarily on a substantive approach. Therefore, risk assessment
will be set at the maximum level for most assertions. Again, the basis
for assessment is not required when control risk is set at a maximum.
The AICPA Guide illustrates the workpaper documentation required for the
assessment of risk.

Not So Bad

At first glance, work associated with SAS 55 appears to be burdensome--
the three elements of the internal control structure (the control
environment, the accounting system, and the control procedures) have to
be understood and documented, and an assessment of risk needs to be made
and documented for each account or group of transactions for each of
five management assertions. However, the work required may not be as
demanding as would first appear.

In the case of small or emerging businesses, the auditor frequently
relies heavily on substantive tests of year-end balances and sets
control risk at a maximum for all account balances, and thus will need
only a statement documenting that risk was set at the maximum for all
assertions for all accounts. However, the auditor may have actually
confirmed the effectiveness of certain control procedures while
obtaining the necessary understanding of the control environment and the
accounting system. For example, the existence and completeness
assertions for cash may be assessed at less than the maximum if the
auditor has observed that the bank reconciliations are being prepared on
a timely basis or that the owner/manager maintains close tabs on the
cash balance by effectively monitoring the cash receipts and
disbursements on a daily basis. The use of a perpetual inventory system
(manual or automated) may allow the auditor to reduce control risk for
the inventory's existence and completeness assertions. The day-to-day
operational task of buying merchandise through sales representatives may
also provide the auditor with some comfort that inventory control risk
should not be assessed at a maximum level for some assertions.

SAS 55 allows the auditor to assess control risk at the maximum for
assertions for some accounts but less than maximum for others. The
auditor is not required to conduct tests for every assertion for every
account balance or class of transactions. If, as in the previous
examples, the auditor can assess control risk at less than maximum, he
or she should take advantage of this opportunity to increase the audit's
overall efficiency. The key point is that the purpose of assessing
control risk below the maximum for an assertion is to reduce the overall
audit effort in reaching the conclusion that the financial statements
are not materially misstated.

* Obtain a Sufficient Understanding. Obtain a sufficient understanding
of each of the three elements of internal control to plan the audit. The
understanding of the internal control structure should be used to
identify types of potential misstatements, to consider factors that
affect the risk of material misstatement, and to design substantive
tests. This knowledge is ordinarily obtained through inquiries of
appropriate personnel, from similar inquires made during previous audits
of the entity, inspection of documents, and observation.

* Document the Understanding. Document the understanding of the entity's
internal control structure elements. This documentation may include
flowcharts, questionnaires, decision tables, and memorandums. However,
for audits of small businesses, memorandums may be sufficient.

* Assess Control Risk. Assess control risk for the assertions embodied
in the account balance, transaction class, and disclosure components of
the financial statements.

* Document Control Risk Assessment. When control risk is assessed at the
maximum, the auditor needs only to make a statement in the workpapers
that such is the case. In this case, the assurance level provided by
substantive tests will be greater than when control risk is assessed at
below maximum. When control risk is assessed below the maximum, the
auditor should document the basis for assessing the control risk below
the maximum. Some of this evidence will be gathered while obtaining an
understanding of the internal control structure. Types of evidential
matter in assessing control risk at less than maximum include inspection
of documentation, observation, reperformance, and inquiries. Evidential
matter obtained in prior audits may also be considered in assessing
control risk in the current audit. However, inquiries alone generally
will not provide sufficient evidential support. No specific test of
controls is always necessary, applicable, or equally effective in every
circumstance.

* Consider a Further Reduction in Control Risk. After obtaining an
understanding of the internal control structure and assessing control
risk, the auditor may want to further reduce control risk for certain
assertions. If so, additional tests of controls are necessary to provide
such evidence.

* Determine Extent of Substantive Tests. The auditor uses the knowledge
provided by the understanding of the internal control structure and the
assessed level of control risk to determine the nature, timing, and
extent of substantive tests for financial statement assertions.

EXHIBIT 2 FINANCIAL STATEMENT ASSERTIONS

* Existence or Occurrence. Assets or liabilities of the entity exist at
a given date and recorded transactions have occurred during a given
period.

* Completeness. All transactions and accounts that should be presented
in the financial statements are so included.

* Rights and Obligations. Assets are the rights of the entity and
liabilities the obligations of the entity at a given date.

* Valuation or Allocation. Assets, liabilities, revenue, and expense
components have been included in the financial statements at appropriate
amounts.

* Presentation and Disclosure. Particular components of the financial
statements are properly classified, described, and disclosed.

The
CPA Journal is broadly recognized as an outstanding, technical-refereed
publication aimed at public practitioners, management, educators, and
other accounting professionals. It is edited by CPAs for CPAs. Our goal
is to provide CPAs and other accounting professionals with the information
and news to enable them to be successful accountants, managers, and
executives in today's practice environments.